From mboxrd@z Thu Jan 1 00:00:00 1970
From: ebiederm@xmission.com (Eric W. Biederman)
To: "Michael Kerrisk (man-pages)"
Cc: Serge Hallyn, Andrei Vagin, Linux API, Containers, lkml, James Bottomley, Alexander Viro, "W. Trevor King", linux-fsdevel@vger.kernel.org
Subject: Re: Documenting the ioctl interfaces to discover relationships between namespaces
Date: Mon, 12 Dec 2016 11:30:38 +1300
Message-ID: <87poky5ca9.fsf@xmission.com>
In-Reply-To: (Michael Kerrisk's message of "Sun, 11 Dec 2016 12:54:56 +0100")
List-Id: containers.vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

"Michael Kerrisk (man-pages)" writes:

> [was: [PATCH 0/4 v3] Add an interface to discover relationships
> between namespaces]

One small comment below.
>
>     Introspecting namespace relationships
>         Since Linux 4.9, two ioctl(2) operations are provided to allow
>         introspection of namespace relationships (see user_namespaces(7)
>         and pid_namespaces(7)).  The form of the calls is:
>
>             ioctl(fd, request);
>
>         In each case, fd refers to a /proc/[pid]/ns/* file.
>
>         NS_GET_USERNS
>                Returns a file descriptor that refers to the owning user
>                namespace for the namespace referred to by fd.
>
>         NS_GET_PARENT
>                Returns a file descriptor that refers to the parent
>                namespace of the namespace referred to by fd.  This
>                operation is valid only for hierarchical namespaces
>                (i.e., PID and user namespaces).  For user namespaces,
>                NS_GET_PARENT is synonymous with NS_GET_USERNS.
>
>         In each case, the returned file descriptor is opened with O_RDONLY
>         and O_CLOEXEC (close-on-exec).
>
>         By applying fstat(2) to the returned file descriptor, one obtains
>         a stat structure whose st_ino (inode number) field identifies the
>         owning/parent namespace.  This inode number can be matched with
>         the inode number of another /proc/[pid]/ns/{pid,user} file to
>         determine whether that is the owning/parent namespace.

Like all fstat inode comparisons, to be fully accurate you need to
compare both the st_ino and st_dev.  I reserve the right for st_dev to
be significant when comparing namespaces.  Otherwise I might have to
create a namespace of namespaces someday and that is ugly.

>         Either of these ioctl(2) operations can fail with the following
>         error:
>
>         EPERM  The requested namespace is outside of the caller's
>                namespace scope.  This error can occur if, for example,
>                the owning user namespace is an ancestor of the caller's
>                current user namespace.  It can also occur on attempts to
>                obtain the parent of the initial user or PID namespace.
>
>         Additionally, the NS_GET_PARENT operation can fail with the
>         following error:
>
>         EINVAL fd refers to a nonhierarchical namespace.
>
>         See the EXAMPLE section for an example of the use of these
>         operations.
>
>     [...]

Eric
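The following program is an added example, not code from this thread, from the man-pages draft, or from the kernel. It shows the two operations the quoted text documents (NS_GET_USERNS and NS_GET_PARENT on a /proc/[pid]/ns/* descriptor), maps the documented EPERM/EINVAL failures to distinct results, and applies the correction made in the reply: a namespace identity check compares st_dev together with st_ino, never st_ino alone. It assumes Linux 4.9 or later with <linux/nsfs.h> (the NSIO/_IO fallbacks below reproduce the values that header defines); the function names same_namespace, ns_query and is_owner_userns are mine.

```c
/* ns_rel.c: introspect namespace relationships with NS_GET_USERNS /
 * NS_GET_PARENT.  Added example (not from the thread); assumes Linux >= 4.9.
 * Build: cc -Wall -o ns_rel ns_rel.c ; run: ./ns_rel [/proc/PID/ns/pid]
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <unistd.h>
#if defined(__has_include)
# if __has_include(<linux/nsfs.h>)
#  include <linux/nsfs.h>
# endif
#endif
/* Fallbacks matching <linux/nsfs.h> for toolchains with older UAPI headers. */
#ifndef NSIO
# define NSIO 0xb7
#endif
#ifndef NS_GET_USERNS
# define NS_GET_USERNS _IO(NSIO, 0x1)
# define NS_GET_PARENT _IO(NSIO, 0x2)
#endif

/* Two namespace fds denote the same namespace only if BOTH st_dev and
 * st_ino agree; st_ino alone is not a complete identity (the reply's point). */
int same_namespace(const struct stat *a, const struct stat *b)
{
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* Result codes so callers need not re-derive the documented errno cases. */
enum ns_result { NS_OK = 0, NS_OUTSIDE_SCOPE, NS_NONHIERARCHICAL, NS_BAD_FD, NS_OTHER };

/* Issue NS_GET_USERNS or NS_GET_PARENT on a /proc/[pid]/ns/* fd.
 * On NS_OK, *out receives the new O_RDONLY|O_CLOEXEC fd; caller closes it. */
enum ns_result ns_query(int fd, unsigned long request, int *out)
{
    int r = ioctl(fd, request);
    if (r >= 0) { *out = r; return NS_OK; }
    switch (errno) {
    case EPERM:  return NS_OUTSIDE_SCOPE;   /* owner/parent not visible, or initial ns */
    case EINVAL: return NS_NONHIERARCHICAL; /* NS_GET_PARENT on e.g. a net or mnt ns */
    case EBADF:  return NS_BAD_FD;
    default:     return NS_OTHER;
    }
}

/* Is `candidate` (a /proc/[pid]/ns/user path) the owning user namespace of
 * the namespace at `path`?  Returns 1 yes, 0 no, -1 if it cannot be determined. */
int is_owner_userns(const char *path, const char *candidate)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    int owner;
    enum ns_result rc = ns_query(fd, NS_GET_USERNS, &owner);
    close(fd);
    if (rc != NS_OK) return -1;
    int cfd = open(candidate, O_RDONLY | O_CLOEXEC);
    if (cfd < 0) { close(owner); return -1; }
    struct stat so, sc;
    int ok = fstat(owner, &so) == 0 && fstat(cfd, &sc) == 0 && same_namespace(&so, &sc);
    close(owner);
    close(cfd);
    return ok;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/proc/self/ns/pid";
    printf("owner of %s is /proc/self/ns/user: %d\n", path,
           is_owner_userns(path, "/proc/self/ns/user"));
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) { perror(path); return 1; }
    /* Walk up with NS_GET_PARENT until the hierarchy becomes invisible (EPERM). */
    for (int depth = 0; ; depth++) {
        struct stat st;
        if (fstat(fd, &st) != 0) { perror("fstat"); close(fd); return 1; }
        printf("depth %d: st_dev=%lu st_ino=%lu\n", depth,
               (unsigned long)st.st_dev, (unsigned long)st.st_ino);
        int parent;
        enum ns_result rc = ns_query(fd, NS_GET_PARENT, &parent);
        close(fd);
        if (rc == NS_OUTSIDE_SCOPE) { puts("top of visible hierarchy (EPERM)"); break; }
        if (rc == NS_NONHIERARCHICAL) { puts("not a hierarchical namespace (EINVAL)"); break; }
        if (rc != NS_OK) { perror("ioctl"); return 1; }
        fd = parent;
    }
    return 0;
}
```

Run it from inside a nested PID namespace (for instance under unshare -Urp, with a /proc mounted) to see the walk stop with EPERM at the first ancestor the caller is not allowed to see; run it with /proc/self/ns/net to see the EINVAL case for a non-hierarchical namespace.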